Compartilhar via

How To Obtain The Name Of The Client From The ASP Server

  • Artigo

Here's a question about client side vs. server side scripting that I got recently:

I want to get the machine name of the client the request is being made from. With ASP I can get the IP address using this code: ipaddr = Request.ServerVariables("REMOTE_ADDR") But I don’t know how to get the name of the machine. Is there something I could do from the client side?

No, the web browser client cannot determine the name of the machine for two reasons.

First, if it could then the client could be instructed to send the name of the machine to an evil server. Evil hackers would love to have an internet web page that harvested intranet machine names that they could then attack. Knowing the name of a machine is particularly useful for social engineering attacks -- if someone phoned me up claiming to be from our IT department, I'd be a lot more inclined to believe them if they knew the names of all my machines.

Second, look at it from the other way.  Suppose the client magically figures out its name and sends it to the server.  Why should the server trust the client?  What stops an evil client from sending a bogus name to the server? Even if the client could send the name, the server can't make any decisions based on that name, so it's kind of useless.

Clients and servers should not trust each other.  In the absence of authentication evidence, clients must assume that all servers are run by evil hackers and servers must assume that all clients are run by evil hackers.  Once you accept that fundamental design principle then it becomes much easier to reason about client-server interactions. Think like an evil person!

Another developer who saw this question suggested running this code on the server:

name = Request.ServerVariables("REMOTE_HOST")

That's a good start but not the whole story. By default this doesn't actually give you the remote host -- it just gives you the IP address again. If you want this to actually give you the name of the remote machine then there's some additional work you have to do. Since we have the IP address then we can do a reverse DNS lookup to see if there is a friendly name associated with that address. Now the server is trusting not an arbitrarty client but rather a specific reverse DNS server.

Read this Knowledge Base article on how to configure your server to automatically do Reverse DNS lookups when the code above is called.

https://support.microsoft.com/default.aspx?scid=kb;en-us;Q245574

Note that this will make your server performance worse, and of course is not guaranteed to work if the client machine is disguising its identity via a firewall, etc.

Comments

  • Anonymous
    May 09, 2005
    The comment has been removed

  • Anonymous
    May 09, 2005
    When I hear these kind of questions I always ask them to back up another step--why do you want the machine name? Often it's because they're trying to do something that either can or should be done differently. For example, a computer name is not unique so it can't be used (at least by itself) as a unique identifier.

    So what DID he/she want it for?

  • Anonymous
    May 09, 2005
    Oh yeah:

    http://blogs.msdn.com/ericlippert/archive/2003/11/3.aspx

    The question was from one of our product support guys, who was passing along a question from a customer. I never did find out what the customer was trying to do.

  • Anonymous
    July 20, 2006
    The comment has been removed

  • Anonymous
    December 28, 2006
    Lalit, the code works like magic! Thanks mate!

  • Anonymous
    February 21, 2007
    I wanted to know it for the purpose of IT Support on our company intranet. We use the computer name for a number of things including (but not solely) VNC. Mostly, I need to know it because my manager told me I did!

  • Anonymous
    March 09, 2007
    this is not working. it returns ip address, not computer name.

  • Anonymous
    May 02, 2007
    The comment has been removed

  • Anonymous
    June 04, 2007
    Error Type: WshShell.Exec (0x80070005) Access is denied

  • Anonymous
    June 20, 2007
    It works for me Function getComputerName() Dim oShell Dim oExec Set oShell = CreateObject("WScript.Shell") Set oExec = oShell.Exec("hostname") sOutput = oExec.StdOut.ReadAll Set oExec = Nothing Set oShell = Nothing getComputerName = sOutput end Function

  • Anonymous
    June 28, 2007
    you know what these codes will just excute the commands on the server and not on the clients pc... i think i'm getting the conclusion of this and that is we can't get the computer name of the client pc.

  • Anonymous
    October 04, 2007
    this is not working at all, if that becuase i use free hosting? any way, what type of information can i get from  machine, IP is not refernce to know who visit my site. if thier code for that thanks

  • Anonymous
    February 09, 2009
    The comment has been removed

  • Anonymous
    March 01, 2009
    LOL - not good argument for why client names cannot be returned... sort of silly to worry about given that they need to be inside the firewall already to exploit client names. Worse client IPs are returned and if they are not RFC 1918  attackers do not need client hostname. Client hostname is about as useful as RFC 1918 local IP...not useless but easily forgone when you already have network access inside firewall & can scan

  • Anonymous
    March 01, 2009
    Pretty sure there is a way for client side script to return the localhost environmental variable to server (Windows/Linux/OS X) but I am not coder. I was looking for example of coding myself for a bet.